The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for...
4.3CVSS
6.9AI Score
0.001EPSS
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level...
4.3CVSS
7.2AI Score
0.001EPSS
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SolidWP Solid Security – Password, Two Factor Authentication, and Brute Force Protection.This issue affects Solid Security – Password, Two Factor Authentication, and Brute Force Protection: from n/a through...
6.1CVSS
7.1AI Score
0.0005EPSS
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login.This issue affects miniOrange's Google Authenticator – WordPress Two Factor...
7.5CVSS
7.2AI Score
0.001EPSS
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's...
5.3CVSS
7AI Score
0.001EPSS
The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example....
4.8CVSS
4.9AI Score
0.001EPSS
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site...
6.1CVSS
6AI Score
0.001EPSS
The two-factor-authentication plugin before 1.1.10 for WordPress has XSS in the admin...
6.1CVSS
6.3AI Score
0.001EPSS
Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce...
8.8CVSS
8.8AI Score
0.008EPSS